
DNS / DCs

Status
Not open for further replies.

FAM

Technical User
Jan 13, 2003
345
GB
I'm currently trying to implement a Win2k3 server into a Linux/NT4 environment, but I'm having a few issues with DNS resolution. The DNS normally runs fine on a separate Linux server (.22) and I have also tried setting this up on the Win2k3 one, but when I run the netdiag command it comes up with the errors below.

---------------------------------
IP Address . . . . . . . . : 192.168.1.24
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.1.22
Primary WINS Server. . . . : 192.168.1.2
Dns Servers. . . . . . . . : 192.168.1.22
192.168.1.24
217.22.144.10

Global results:
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.22'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.24'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '217.22.144.10'. Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/zeus.

LDAP test. . . . . . . . . . . . . : Failed
[WARNING] The default SPN registration for 'HOST/ZEUS' is missing on DC 'zeus'.
[FATAL] The default SPNs are not properly registered on any DCs.

IP Security test . . . . . . . . . : Skipped

The command completed successfully
---------------------------------

Any suggestions on trying to clear up the errors?
 
When you ran DCPROMO the first time, was your server's own IP listed as a DNS server?

Might try isolating the DNS servers in your config (i.e. one at a time) and restarting the NETLOGON service. Upon starting, NETLOGON will try to detect SMALL errors/missing records and update them.
 
Jim,
Yeah, I'm pretty sure I put it in originally. It is the (.24) address, which I've now changed to the localhost address 127.0.0.1, but surely if I isolate them one by one, is it not going to have the same issues?

Also, I've managed to get a bit further with regards to Kerberos & LDAP; the errors now are,

----------------------------
DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.22'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '127.0.0.1'. Please wait for 30 minutes for DNS server replication.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '217.22.144.10'. Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.


Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/zeus.

LDAP test. . . . . . . . . . . . . : Failed
[FATAL] Cannot do Negotiate authenticated ldap_bind to 'zeus': Invalid Credentials.
[WARNING] The default SPN registration for 'HOST/ZEUS' is missing on DC 'zeus'.
[FATAL] No LDAP servers work in the domain 'NEMI-CAI0'.
-----------------------------
I believe these two errors could be sorted if I upgraded my Samba version from 2.2 to 3, see (
Thanks
 
OK, here's the deal: if this is a DC, he must be pointing to himself for preferred DNS...from there, you should be using forwarders to the Linux junk out there (I say junk because as far as AD is concerned, it is not the best to use...for all you Linux fans :) )

It looks like your Linux does not support dynamic updates and/or SRV records....

don't worry too much about this:
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

so the bottom line here:
1. point the Win2003 DC to himself and himself only
2. create forwarders to the ISP and Linux DNS server
3. point all domain clients to the Win2003 domain DCs only for DNS

If this is not a DC, you should still create a zone on this box and forward to the Linux box and/or ISP

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
ADgod,

You are correct in saying the "Linux does not support dynamic updates and/or SRV records".

I did as you have suggested, and running the test again it's coming up with,

-----------------
DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for the name
'zeus.xxxxxx.yyyyy-uk.com.'. [RCODE_SERVER_FAILURE]
The name 'zeus.xxxxxx.yyyyy-uk.com.' may not be registered in DNS.
[WARNING] The DNS entries for this DC are not registered correctly on DNS server '192.168.1.24'. Please wait for 30 minutes for DNS server replication.
[FATAL] No DNS servers have the DNS records for this DC registered.
-----------------

I have waited the 30 minutes,

Any suggestions? Thanks
 
OK, after pointing the PDC to himself and himself only, you must restart the netlogon service (an alternative, since you are using netdiag, is netdiag /fix, but I recommend cycling netlogon)

then rerun netdiag /v and see if it still has the same errors. If it does, we'll figure out what's wrong with your DNS zone itself (it's possibly set to no dynamic updates).
The 30 minute message regarding replication is for if you have multiple DCs and you happen to be pointing to another DC for DNS; then it can take some time to converge that record back to another DC.

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
ADgod,

Thanks for your suggestions, I tried the 1st recommendation but to no avail. The 2nd part I noticed in the general settings is,

Forward Zone
Type: Active Directory-Integrated
All DNS Servers in the AD domain
Dynamic Updates: Nonsecure and Secure

Reverse
Type: Active Directory-Integrated
To all domain controllers in the AD domain
Dynamic Updates: Nonsecure and Secure (I've changed this from just Secure)

Do these look normal? Thanks
 
OK, what is your FQDN?
what is your DNS zone name?
are the advanced tcp/ip properties at their defaults?
do you have a _msdcs container in your DNS zone?

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
FQDN is :- zeus.XXXX-XXX.YYYYYY-uk.com
DNS Zone Name:- XXXX-XXX.YYYYYY-uk.com

TCP/IP at their defaults: They should be right...
-----------------
IP= 192.168.1.24
SM= 255.255.255.0
DG= 192.168.1.22 (Linux Box - Normally right???)
DNS= 192.168.1.24
WINS=192.168.1.24
DHCP Enabled: No
DNS Suffix Search List: XXXX-XXX.YYYYYY-uk.com
YYYYYY-uk.com
Connection-specific DNS Suffix: XXXX-XXX.YYYYYY-uk.com
IP Routing Enabled - Yes
WINS Proxy Enabled - Yes
-----------------
I have a _msdcs container = _msdcs.XXXX-XXX.YYYYYY-uk.com

Cheers
 
that is not the defaults...there should be no connection-specific DNS suffix and no DNS suffix search list on the advanced TCP/IP properties\DNS tab

the only things marked should be:
DNS server addresses will be listed
append primary and connection specific dns suffixes should be marked
append the parent suffix of the primary DNS suffix should be checked
register this connections addresses in DNS should be checked
everything else should be blank, unmarked, and unchecked besides these options...if you are setting them through DHCP for your clients...this too is a mistake

be sure you have dynamic updates enabled on your zone as well

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
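As an added example (not from any post in this thread), a small Python checker that parses the "key . . . : value" layout of the netdiag output quoted above and applies Brandon's two rules at once: the DC's resolver list holds only itself (own IP or 127.0.0.1) with the Linux/ISP resolvers moved to forwarders, and the adapter's connection-specific suffix and suffix search list are blank. The sample text is constructed from the values in the posts; it does not check whether forwarders actually exist.

```python
import re
from typing import Dict, List
# Constructed sample in the "key . . . : value" layout of the netdiag output
# quoted in the thread (addresses and names are the ones posted).
SAMPLE = """\
Dns Servers. . . . . . . . : 192.168.1.22
192.168.1.24
217.22.144.10
Connection-specific DNS Suffix: XXXX-XXX.YYYYYY-uk.com
DNS Suffix Search List: XXXX-XXX.YYYYYY-uk.com
YYYYYY-uk.com
DNS test . . . . . . . . . . . . . : Failed
[FATAL] No DNS servers have the DNS records for this DC registered.
"""

# A key is letters/spaces/hyphens, then optional dot-leader padding, then ':'.
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")

def parse_settings(text: str) -> Dict[str, List[str]]:
    """Map each lower-cased key to its values; lines that start no new key
    (extra DNS servers, suffixes, [WARNING]/[FATAL] details) extend the last key."""
    settings: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            value = m.group(2).strip()
            settings[current] = [value] if value else []
        elif current is not None and line.strip():
            settings[current].append(line.strip())
    return settings

def failed_tests(settings: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Each '<name> test' that reported Failed, with its detail lines."""
    return {k: v[1:] for k, v in settings.items() if k.endswith(" test") and v[:1] == ["Failed"]}

def check_dc_dns(settings: Dict[str, List[str]], own_ip: str) -> List[str]:
    """Thread's rules for a DC: resolve via itself only (own IP or 127.0.0.1),
    other resolvers go in forwarders, no connection-specific suffix or search list."""
    findings: List[str] = []
    servers = settings.get("dns servers", [])
    foreign = [s for s in servers if s not in {own_ip, "127.0.0.1"}]
    if foreign:
        findings.append("belongs in forwarders, not the server list: " + ", ".join(foreign))
    for key in ("connection-specific dns suffix", "dns suffix search list"):
        if settings.get(key):
            findings.append(f"{key} should be blank, found: {' '.join(settings[key])}")
    return findings
```

Run against the sample with own_ip 192.168.1.24 it reports the two foreign resolvers and both suffix settings, which is the state FAM posted before the fix.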
 